Date: Thu, 18 Jul 2002 10:40:02 +0200
From: Stefano Riva <sriva@gufi.org>
To: "Crist J. Clark" <cjc@FreeBSD.ORG>
Cc: Luigi Rizzo <rizzo@icir.org>, ipfw@FreeBSD.ORG
Subject: Re: Ouch! ipfw log and DoS
Message-ID: <3.0.5.32.20020718104002.00907de0@civetta.gufi.org>
In-Reply-To: <20020717174919.GB25404@blossom.cjclark.org>
References: <20020717102119.A12639@iguana.icir.org> <20020716124059.A2635@iguana.icir.org> <20020717064647.GC22967@blossom.cjclark.org> <20020717022619.A8351@iguana.icir.org> <20020717165807.GA25404@blossom.cjclark.org> <20020717102119.A12639@iguana.icir.org>
At 10.49 17/07/02 -0700, Crist J. Clark wrote:

>There's still IPFIREWALL_VERBOSE_LIMIT and 'logamount' to save you
>from such a fate.

>If you disable log limiting AND misconfigure your rules to create
>feedback loops, I would have no sympathy for you.

Maybe I'm missing something, if so please correct me, but it seems to me that this "problem" isn't related only to feedback loops.

At least on a production firewall IMO you should always enable log limiting, and if you enable it you have to reset it periodically... so in practice you're rate-limiting it.

I don't know if in an ideal world this job should be ipfw's or syslogd's, but I for sure would like to be able to do it in a "cleaner" way rather than, let's say, using a CRON job.

After all, with IPFIREWALL_VERBOSE_LIMIT we already have a way to specify an "absolute limit" for ipfw logging, so why don't we add an option to obtain a rate limit? Not enabled by default, of course.

---
Stefano Riva (sriva@gufi.org)
Gruppo Utenti FreeBSD Italia - http://www.gufi.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
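The difference Riva is pointing at, as an added illustration that is not part of the thread and not ipfw's kernel code: an absolute per-rule counter (the `logamount` / `net.inet.ip.fw.verbose_limit` mechanism, zeroed by a cron'd `ipfw resetlog`) spends its whole quota on the first packets after each reset and then logs nothing until the next reset, whereas a token-bucket rate limit (a hypothetical design here, sketched only to show the contrast) keeps emitting a steady trickle for the duration of a flood. The struct and function names, the 1000 pps flood and the 60 s cron interval are all assumptions made up for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Absolute per-rule limit, modelled on ipfw's behaviour: log until the
 * counter reaches the limit, then stay silent until "ipfw resetlog"
 * zeroes it. Names are invented for this example. */
struct abs_limiter {
    unsigned limit;   /* logamount on the rule, or net.inet.ip.fw.verbose_limit */
    unsigned logcnt;  /* lines logged since the last reset */
};

static bool abs_should_log(struct abs_limiter *l)
{
    if (l->limit == 0)            /* 0 means unlimited, as for verbose_limit */
        return true;
    if (l->logcnt >= l->limit)    /* limit reached: quiet until reset */
        return false;
    l->logcnt++;
    return true;
}

static void abs_resetlog(struct abs_limiter *l)
{
    l->logcnt = 0;                /* what a cron'd "ipfw resetlog" does */
}

/* Hypothetical rate limit: token bucket refilled at per_sec lines/second.
 * Integer arithmetic (time in ms, tokens in 1/1000 units) keeps it exact. */
struct rate_limiter {
    unsigned per_sec;             /* lines allowed per second */
    unsigned long long tokens;    /* millitokens available now */
    unsigned long long burst;     /* cap on stored credit, in millitokens */
    unsigned long long last_ms;   /* time of the last refill */
};

static void rate_init(struct rate_limiter *l, unsigned per_sec)
{
    l->per_sec = per_sec;
    l->burst = (unsigned long long)per_sec * 1000;  /* one second of credit */
    l->tokens = l->burst;
    l->last_ms = 0;
}

static bool rate_should_log(struct rate_limiter *l, unsigned long long now_ms)
{
    l->tokens += (now_ms - l->last_ms) * l->per_sec;   /* refill since last call */
    if (l->tokens > l->burst)
        l->tokens = l->burst;
    l->last_ms = now_ms;
    if (l->tokens < 1000)                              /* less than one whole line */
        return false;
    l->tokens -= 1000;
    return true;
}

struct sim_result {
    unsigned abs_total, abs_peak;     /* lines written, and worst single second */
    unsigned rate_total, rate_peak;
};

/* Flood one rule with pps matching packets per second for `seconds`,
 * resetting the absolute counter every reset_every seconds (the cron job). */
static struct sim_result simulate(unsigned pps, unsigned seconds,
                                  unsigned reset_every, unsigned limit,
                                  unsigned per_sec)
{
    struct abs_limiter a = { limit, 0 };
    struct rate_limiter r;
    struct sim_result res = { 0, 0, 0, 0 };
    rate_init(&r, per_sec);

    for (unsigned s = 0; s < seconds; s++) {
        unsigned abs_sec = 0, rate_sec = 0;
        if (s > 0 && s % reset_every == 0)
            abs_resetlog(&a);
        for (unsigned p = 0; p < pps; p++) {
            unsigned long long now_ms =
                (unsigned long long)s * 1000 + ((unsigned long long)p * 1000) / pps;
            if (abs_should_log(&a))
                abs_sec++;
            if (rate_should_log(&r, now_ms))
                rate_sec++;
        }
        res.abs_total += abs_sec;
        res.rate_total += rate_sec;
        if (abs_sec > res.abs_peak)
            res.abs_peak = abs_sec;
        if (rate_sec > res.rate_peak)
            res.rate_peak = rate_sec;
    }
    return res;
}

int main(void)
{
    /* 1000 pps for two minutes, logamount 100 reset every 60 s, vs. 10 lines/s */
    struct sim_result r = simulate(1000, 120, 60, 100, 10);
    printf("absolute limit 100, cron reset every 60 s: %u lines, peak %u/s\n",
           r.abs_total, r.abs_peak);
    printf("rate limit 10/s:                          %u lines, peak %u/s\n",
           r.rate_total, r.rate_peak);
    return 0;
}
```

Under the constructed flood the absolute counter writes 100 lines in the first second, then nothing for 59 seconds, then another 100 after the cron reset, so an attack that starts at second 5 leaves no trace until second 60; the bucket writes about 10 lines every second of the flood (19 in the first, because it starts with a second of stored credit). The cron interval only sets how often the syslog burst recurs, which is the sense in which Riva says the absolute limit is already a crude rate limit.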